CryptoRhythm: Analyzing and disrupting a PayPal scam (with love and toucans!)
Dear customer. Your Account Has Been Blocked. Please check your account information by clicking the link below.
At this point, we’re all used to receiving a few (if not tens or hundreds of) scam emails a week. Modern email services do an outstanding job of keeping these messages relegated to the spam folder through SPF, DKIM, and DMARC authentication. Still, a message or two will slip through on occasion. Such was the case when I found the following email in my inbox about a week ago.
Disclaimer: I don’t recommend clicking on spam links, even to pentest the website. If you choose to do so, be sure to use a VPN.
Initial contact
As one of the world’s largest online payment systems, PayPal is an obvious target for hackers and scammers. Groups on the dark web frequently sell compromised accounts on the site for as little as $200. Like the one above, these emails will attempt to draw out various sensitive details from users like account passwords, payment information, social security numbers, images of government IDs, and information PayPal itself doesn’t even collect, such as debit card PINs.
While purporting to be sent from the official PayPal email service@paypal.com, this email is actually from hello@mynumerology(dot)in using an account named ‘service@paypal.com’. This technique is usually easy to spot because most email services show the sender's name and email in the message header.
I decided to do a bit more reconnaissance before proceeding to the scam website. mynumerology(dot)in indeed does not provide SPF or DMARC records that authenticate email sent from its domain, allowing scammers to spoof email from it.
This website itself seems fine. As mentioned previously, the scammers are taking advantage of the domain’s lack of email security policies to send spam from it, and the website’s owners likely aren’t complicit.
PayPal encourages users who receive phishing emails targeting their services to forward them to spoof@paypal.com, which I did before exploring the scam any further.
synxdeveloper(dot)com
The link included in the email led to synxdeveloper(dot)com. By the time I had browsed to it, Google’s Safe Browsing feature had already identified the site as a phishing campaign, which probably cut down on the scam’s success rate significantly.
The site is one of the better PayPal impersonations I have seen in a while. Beyond the obvious indicator that the domain name is incorrect, the text at the bottom of the site states that this version of PayPal is served to Singapore residents (perhaps where the CryptoRhythm author resides). This would not be the same site served to US residents. Buttons other than the “Log In” button do not function, either.
Taking a moment to check the WHOIS database, I saw that the domain was registered only a short time ago.
Domain Name: SYNXDEVELOPER.COM
Registry Domain ID: 2561479332_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.tucows.com
Registrar URL: http://tucowsdomains.com
Updated Date: 2020-09-25T05:35:28
Creation Date: 2020-09-23T05:49:51
Registrar Registration Expiration Date: 2021-09-23T05:49:51
Registrar: TUCOWS, INC.
Registrar IANA ID: 69
Reseller: Yahoo Small BusinessI also noticed that URL parameters for country, locale, and what is probably a client ID were set when browsing to the site, but modifying each of them didn’t yield any interesting results.
After supplying some fake credentials, I stepped through several pages attempting to obtain additional information, including billing address, debit card number and PIN, birth date, social security number, and even a copy of the user’s passport or other government-issued ID.
Experimenting with sqlmap + ZAP
I started by hitting the URL parameters with sqlmap to test for SQL injection vulnerabilities. However, this wasn’t very successful because, as I would discover later, the application wasn’t storing any form data and was simply emailing it to the scammer when the user submitted it. At least I probably hindered the scammer from finding any real user data by sending them thousands of emails filled with garbage SQL input.
Next, I ran OWASP’s ZAP web scanner on the site. This attempt was much more fruitful, specifically through the use of the spider to find a bunch of URLs that weren’t linked directly from the main page.
Most of the pages didn’t provide any interesting information— they were primarily blank or contained error messages. Then I browsed to the /img directory…
mhamdi_manager (aka U7TiM4TE_H4x0R Plugin)
I was very surprised to see that the scammer had left a management application unprotected, albeit in an obscure directory. I was even more surprised to see that it contained a (mostly) functional file browser complete with actions to upload, edit, or delete files. Unfortunately, neither the “Anon shell” or “Adminer” buttons worked. I would have to obtain my own shell.
Whatever the “mhamdi_manager” or “U7TiM4TE_H4x0R Plugin 2018” page was, I don’t believe it was part of the original application, instead being added on to the application by the scammer that purchased this instance of CryptoRhythm. Either way, it made my goal fairly easy to accomplish.
By poking around in the management application a bit more, I was able to learn that this scam was called CryptoRhythm and had existed long enough to be on version 2.1. Unfortunately, there was no developer contact information included in the file. :)
Since neither the “Anon shell” or “Adminer” buttons in the management application actually functioned, I needed to write and upload my own PHP backdoor. Using the innocuous name img.php, I uploaded the simple file below to the /img directory using the management application.
Finding victim files
It works! Using my backdoor, I was able to browse beyond the scope of the management application and inspect the file system.
Here, I found out that while user data wasn’t actually being collected and stored on the web server, victims’ uploaded “verification documents” were accessible to anyone with the link to them.
I definitely took the liberty of deleting these from the server, although I highly doubt that I arrived soon enough to prevent the scammers from downloading them. The IDs and any additional data I could find have been forwarded to PayPal in the hope that they can notify the victims of the scam. I also deleted the folders that contained the images so that future uploaded images would fail to save.
Preventing others from being scammed
While inspecting the code, I learned that the scam site is simply emailing all form data to the scammer rather than storing it locally. This is probably to prevent data loss due to the short-term nature of most scam sites. I found the line below in a mailer.php file. It controls the email address where inputted data is forwarded.
I simply changed it to one of my Spamex forwarding addresses that in turn sent it to spoof@paypal.com. I also contacted ProtonMail to report the scammer’s “papa05@protonmail.com” address, but I don’t believe any action could be taken against the account since there was no way to verify that the scammer owned it.
The scammer didn’t seem to notice the different email address, as it remained the same for a period of several days. During that time I was also able to analyze a few test emails that I sent through the site.
There used to be a scam here…
Eventually, the scammer noticed that I had tampered with the email settings and reset most of the application while also restricting access to the management page. I would have assumed that they were using Docker or another application to run the scam site in a container, but apparently not (or my basic backdoor was just good enough for them to think it was part of the application and back it up, because I was able to get right back in using it).
After gathering all the source code and copying it to my PC, I wanted to prevent the scam from functioning any further. To not risk a complete infrastructure burn-down by running rm -rf * from the root directory (and thus risking losing my backdoor access in the event the scammer restores the site), I simply edited the front page.
The scammer and I went back and forth for a few days by restoring and deleting the main page, but I don’t think they were able to find my backdoor. Eventually, I browsed to the site one night after work and found that either they were tired of my memes or that the scam on this domain was no longer generating useful data (probably a bit of both…).
A side note on CryptoRhythm
I can find a few references to CryptoRhythm on the clear web, mostly for older versions targeting other platforms and by those looking to sell the scam kit for around $20. There’s also an old “mhamdi_manager” page cached on Google, although I don’t believe this application has any relation to the scam.
Regardless, I uploaded the code (with a few choice deletions) to a private GitHub repository. I’d happily give anyone who wants to learn about phishing kits access if I can verify you have an established interest in security topics.
